Tag: WordPress

Categories
System Administration WordPress

Installing WordPress Multisite on Linux

WordPress is one of the most popular content management systems in the world estimated to be running over 40% of all websites. Its easy to use of use, has a massive theme and plugin ecosystem, and it’s super flexible for both personal websites and businesses.

I’ve been using WordPress since the start of my career over 15 years ago. It’s always been my first choice as a Website platform and is the option that I recommend for many use cases.

In this post I’ll outline the steps for installing and configuring WordPress as a multisite. WordPress Multisite is a powerful feature that allows you to run multiple WordPress sites from a single WordPress installation. This is particularly useful for businesses or individuals who need to manage multiple websites but want the convenience of a single dashboard. With Multisite, you can create a network of sites with shared plugins and themes, making it easier to maintain consistency and control across all your sites.

I built my first WordPress Multisite a few years ago, around 2018, when I worked as Technical Lead for a publishing company. We had 30 websites all with similar functionality and design that I thought would suit the multisite features. It was painful having to manage all 30 sites as separate instances with separate user logins, having to keep all 30 up to date. Moving the sites into a multisite reduced the maintenance load, and the cost of running that amount of websites, and since then I’ve built and managed several fairly large multisite installations.

I’ve chosen to install WordPress multisite on a Linux distribution such as CentOS or AlmaLinux. Enterprise Linux distributions are well known for their stability, security, and support and used heavily in Web hosting. Using any of these distributions as a web server for WordPress ensures a reliable and secure hosting environment, critical for maintaining website performance.

Before you begin, ensure you have the following:

  • A server running RHEL, Oracle Linux, CentOS, or AlmaLinux.
  • A non-root user with sudo privileges.

I wont detail where to host your server in this article. I assume for the sake of convenience that you’ve already got a Linux server running in either a public cloud such as Amazon AWS or on a virtual machine running on your own PC. Any of the Enterprise Linux variants should do fine, the steps should be the same regardless.

Install Apache, PHP and MySQL

Apache is one of the most popular web servers in the world and is well-supported by WordPress and the web development community. It’s usually the default choice when installing WordPress.

$ sudo dnf install httpd -y
$ sudo systemctl enable --now httpd

MariaDB is a popular open-source relational database management system and is fully compatible with MySQL, which is the database system that WordPress uses.

$ sudo dnf install mariadb-server mariadb -y
$ sudo systemctl enable --now mariadb

Run the following command to secure your MariaDB installation.

$ sudo mysql_secure_installation

Follow the prompts to set the root password and remove anonymous users, disallow root login remotely, remove test databases, and reload privilege tables.

PHP is the progamming language that WordPress is built on. Your server needs to have PHP installed so that it can execute the code and produce your website. By default, Enterprise Linux 8 will install PHP 7.2, which is bit old and past it’s end-of-life, so we’ll install PHP 8.2 from App Streams instead.

$ sudo dnf module list php
$ sudo dnf module enable php:8.2
$ sudo dnf install php php-mysqlnd -y
$ sudo systemctl restart httpd

Log in to MariaDB and create a database and user for WordPress.

$ sudo mysql -u root -p

Then, run the following commands.

CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT;

Changing ‘wordpressuser’ and ‘password’ for a username and secure password of your choice. This is the user details that WordPress will use to connect to the database, so it’s critical that these details are secure.

Navigate to the web root directory and download the latest WordPress package

$ cd /var/www/
$ sudo rm -rf html/
$ sudo wget https://wordpress.org/latest.tar.gz
$ sudo tar -xzvf latest.tar.gz
$ sudo mv wordpress html
$ sudo chown -R apache:apache /var/www/html
$ sudo chmod -R 755 /var/www/html

Create an Apache configuration file for WordPress.

$ sudo vim /etc/httpd/conf.d/wordpress.conf

Add the following configuration.

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName example.com
    ServerAlias www.example.com

    <Directory /var/www/html>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/wordpress-error.log
    CustomLog /var/log/httpd/wordpress-access.log combined
</VirtualHost>

Include the email address and domain name you wish to use for your website. In a WordPress multisite the domain name will be the primary network domain, however when you add subsites to the network you can change the subsite domain names from the WordPress dashboard.

Configuring SELinux

After configuring Apache, you might need to configure SELinux to allow Apache to serve WordPress files and communicate with the database. If you’ve followed the above configuration and your website doesn’t appear to work or you’re getting forbidden error messages, you will need to complete the follow configuration.

Note: Many people online suggest disabling SELinux out of convienience. Please don’t do that, SELinux is built into the Linux kernel to provide security access controls and is important to maintain the security of your Linux system, it’s better to configure SELinux properly rather than disabling it.

Set the proper file context for WordPress files

$ sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"

$ sudo restorecon -Rv /var/www/html

Allow Apache to connect to the database

$ sudo setsebool -P httpd_can_network_connect_db 1

Restart Apache

$ sudo systemctl restart httpd

You should now be able to access your WordPress installation. Open your web browser and navigate to http://your-server-ip. Follow the on-screen instructions to complete the initial installation.

If everything went correctly and the installation was able to connect to the database properly, you should now be able to login to your WordPress admin dashboard by navigating to http://your-server-ip/wp-admin.

After the initial installation, follow these steps to configure WordPress Multisite with subdomains:

Edit wp-config.php: Add the following lines above the line that says /* That's all, stop editing! Happy publishing. */:

define('WP_ALLOW_MULTISITE', true);

Install the Network: Refresh your WordPress dashboard. Navigate to Tools -> Network Setup. Select “Sub-domains” and click “Install”.

You will most likely need to enable the Apache mod_rewrite module to allow for WordPress to rewrite the site URLs.

Enter the following command, and if there’s no output you’ll need to enable the module by editing the file /etc/httpd/conf.modules.d/00-base.conf and uncommenting the line for rewrite_module.

$ httpd -M | grep rewrite
 rewrite_module (shared)

Update wp-config.php and .htaccess: WordPress will provide some code to add to your wp-config.php and .htaccess files. Edit these files and add the provided code. wp-config.php: Add the following code just below the line define('WP_ALLOW_MULTISITE', true);:

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', true);
define('DOMAIN_CURRENT_SITE', 'example.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

.htaccess:

Replace the existing WordPress rules with the provided Multisite rules:

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]

If necessary, you might need to restart Apache.

sudo systemctl restart httpd

You should be able to refresh your Web browser and re-login to WordPress and if everything was successful, you should be able to access the Network Admin section of the WordPress dashboard.

From here you can add sub-sites, you can install themes and plugins that all sub-sites will be able to use, and you’ll be able to manage user access across each site in your network.

Configuring the Linux Firewall

To ensure that your WordPress site is accessible from the web, you will need to configure the firewall on your server to allow HTTP and HTTPS traffic as well as SSH traffic, but restricting access to everything else.

First, check if firewalld is running on your server:

sudo systemctl status firewalld

If it is not running, start and enable it:

$ sudo systemctl enable --now firewalld

To allow HTTP (port 80) and HTTPS (port 443) and SSH (port 22) traffic through the firewall, run the following commands:

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --permanent --add-service=ssh

After making these changes, reload the firewall to apply the new rules:

$ sudo firewall-cmd --reload

To verify that the rules have been added correctly, you can list the current firewall rules:

$ sudo firewall-cmd --list-all

Security Improvements

By default WordPress is relatively secure if you keep it up to date, however it’s only as secure as it’s weakest part. By following a few basic security practices you’ll minimise the risk of your website being vulnerable to attack.

Update WordPress regularly
Ensure your WordPress installation, themes, and plugins are always up-to-date to protect against vulnerabilities.

Use strong passwords
Use complex passwords for your WordPress admin account, database user, and any other user accounts.

Install security plugins
Consider using security plugins like Wordfence to add an extra layer of protection. Wordfence lets you limit login attempts, it scans your site for security vulnerabilities and automatically blocks malicious activity.

Secure Your .htaccess File
Add rules to your .htaccess file to prevent unauthorized access to sensitive files:

<Files wp-config.php>
  order allow,deny
  deny from all
</Files>

<Files .htaccess>
  order allow,deny
  deny from all
</Files>

Enable SSL
Install an SSL certificate to encrypt data transmitted between your server and your users. You can obtain a free SSL certificate from Let’s Encrypt and configure Apache to use it.

Another option for providing SSL certificates is to host your website behind Cloudflare and use their SSL certificates and Web Application firewall. I won’t detail Cloudflare setup in this post but it’s well worth considering.

Regular backups
Set up regular backups of your WordPress site, including the database and files, to ensure you can quickly recover in case of an incident.

You should now have a robust and flexible platform configured to host multiple websites from a single dashboard running on a solid, Enterprise grade Linux operating system.

Categories
Security

How to Improve the Security of Your Website

As a website owner, keeping your site secure should be a top priority. Cyberattacks, data breaches, and malware infections can harm your reputation, disrupt your operations, and put your users at risk. Fortunately, there are practical steps you can take to enhance your website’s security.

Keep Your Software Updated

One of the most common vulnerabilities in websites comes from outdated software. Whether it’s your content management system (CMS), plugins, themes, or server software, failing to update can leave your site exposed to known exploits.

  • Enable automatic updates whenever possible.
  • Regularly check for and install updates manually.
  • Remove unused plugins or themes to minimize potential vulnerabilities.

Use Strong, Unique Passwords

Weak passwords are an open invitation to hackers. Using strong, unique passwords for all website accounts significantly reduces the risk of unauthorised access.

  • Use a password manager to generate and store complex passwords.
  • Implement multi-factor authentication (MFA) for an additional layer of security.
  • Regularly update passwords, especially for admin accounts.

Enable HTTPS

Switching from HTTP to HTTPS encrypts data transmitted between your website and its users, protecting sensitive information like login credentials and payment details.

  • Obtain an SSL certificate from a trusted provider. Many hosting companies offer free SSL options.
  • Configure your site to redirect all traffic to HTTPS.
  • Regularly check your SSL certificate’s validity and renew it as needed.

Perform Regular Backups

A robust backup strategy ensures you can quickly recover your website if it’s compromised.

  • Schedule automated backups for your website files and database.
  • Store backups in a secure, separate location.
  • Test backups periodically to ensure they can be restored without issues.

Limit User Privileges

Not everyone needs full administrative access to your website. Assign roles and permissions based on what each user needs to do.

  • Create separate accounts for each user.
  • Use the principle of least privilege (give users only the access they need).
  • Regularly review user accounts and remove those no longer required.

Install Security Plugins or Tools

Security plugins and tools can help monitor your site for vulnerabilities, malware, and suspicious activity.

  • Use a security plugin like Wordfence or Sucuri for WordPress sites.
  • Enable firewalls to block malicious traffic.
  • Regularly scan your site for malware and vulnerabilities.

Perform Security Assessments

A website security assessment identifies vulnerabilities and potential risks before they’re exploited.

  • Schedule regular security assessments with a professional.
  • Implement recommended changes to address vulnerabilities.
  • Stay informed about the latest threats in website security.

Protect Against DDoS Attacks

Distributed Denial of Service (DDoS) attacks can overwhelm your server and take your site offline.

  • Use a Content Delivery Network (CDN) like Cloudflare to distribute traffic and absorb attacks.
  • Configure rate limiting to restrict the number of requests a user can make.
  • Monitor traffic for unusual spikes that could indicate an attack.

Final Thoughts

Website security isn’t a one-time task—it’s an ongoing effort. By implementing these measures and staying vigilant, you can significantly reduce the risk of cyberattacks and keep your site safe for you and your visitors.

Need expert assistance to secure your website? Get in contact for a comprehensive security assessment and tailored protection solutions. Together, we can make your website a fortress against cyber threats.